Are you safe? Dangers of XSS…

If you allow the visitors of your site to contribute, for example with a simple comment textbox, you take the risk that a malicious user injects evil code into a comment.

This evil code is then executed in the browser by your site’s ordinary visitors. Scripts can steal passwords (maybe your own admin account), trick the user into giving up other sensitive data, or download malware, because the visitors trust your site.

Always have input validation and filter your input

A common approach is to sanitize the data with a whitelist or blacklist of characters, eliminating dangerous characters before storing or using the data. Another is to always HTML-encode data when it is rendered. But it is harder than you think to get it right!

70 ways to write the same character

So you think you are smart and have a string replace or regular expression that removes “<” from the user’s input on your website to be safe? I guess you need to test again… I had to!
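To make the point from the two previous sections concrete, here is an added example (my own code, not from the original post) contrasting the naive “strip ‘<’” filter with the two things a defender actually wants: canonicalize before validating, and HTML-encode at render time. The function names and the sample comment are constructed for this illustration; the only library calls are Python’s standard `html` and `urllib.parse` modules.

```python
import html
import urllib.parse


def strip_less_than(s: str) -> str:
    """The naive blacklist filter from the post: remove the literal '<' character."""
    return s.replace("<", "")


def contains_tag_opener(s: str) -> bool:
    """True if the string still holds a raw '<' that a browser would treat as a tag start."""
    return "<" in s


def naive_pipeline(raw: str) -> str:
    """Filter first, then decode.

    Many applications validate the raw request value and only later URL-decode
    it (or JSON-decode it, or entity-decode it). The filter never sees the
    character it is looking for, so the decoded result still contains '<'.
    """
    filtered = strip_less_than(raw)
    return urllib.parse.unquote(filtered)


def canonical_pipeline(raw: str) -> str:
    """Decode to the canonical form first, then validate/filter.

    This closes the ordering bug, but it is still a blacklist: every other
    encoding the browser understands would need its own decode step, which
    is exactly why the post warns about the many spellings of one character.
    """
    return strip_less_than(urllib.parse.unquote(raw))


def render_comment(comment: str) -> str:
    """Output-encode for an HTML text context instead of filtering input.

    html.escape turns <, >, &, " and ' into entities, so whatever the stored
    comment contains is shown as text rather than parsed as markup.
    """
    return "<p>" + html.escape(comment, quote=True) + "</p>"


# Constructed sample: the same harmless-looking bold tag, once literal and
# once URL-encoded (the encoded spelling is what a browser or proxy would send).
LITERAL_COMMENT = "<b>hello</b>"
ENCODED_COMMENT = urllib.parse.quote(LITERAL_COMMENT)  # "%3Cb%3Ehello%3C/b%3E"


def demo() -> dict:
    """Return the results of each strategy so they can be compared side by side."""
    return {
        "naive_on_literal": contains_tag_opener(naive_pipeline(LITERAL_COMMENT)),
        "naive_on_encoded": contains_tag_opener(naive_pipeline(ENCODED_COMMENT)),
        "canonical_on_encoded": contains_tag_opener(canonical_pipeline(ENCODED_COMMENT)),
        "rendered_literal": render_comment(LITERAL_COMMENT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it and the naive filter passes the literal comment but fails the URL-encoded one, because the decode happens after the check; the canonical version fixes that ordering, and the rendered output shows why encoding at the point of output is the approach that does not depend on enumerating every spelling of a character.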